Efficient and robust quantum key distribution with minimal state tomography 
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We introduce the Singapore protocol, a qubit protocol for quantum key distribution that is fully 
tomographic, more efficient than other tomographic protocols, and very robust. Under ideal cir- 
cumstances the efficiency is log2(4/3) = 0.415 key bits per qubit sent. This is 25% more than the 
efficiency of 1/3 = 0.333 for the standard six-state protocol, which sets the benchmark. We describe 
a simple two-way communication scheme that extracts 0.4 key bits per qubit and thus gets close to 
the information-theoretical limit. The noise thresholds that we report for a hierarchy of eavesdrop- 
ping attacks demonstrate the robustness of the protocol: A secure key can be extracted if there is 
less than 38.9% noise. 
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I. INTRODUCTION 

Almost all real-life implementations of schemes for 
quantum key distribution use qubits as the carriers for 
the quantum information, and most of them are variants 
of the very first proposal, the 1984 scheme by Bennett 
and Brassard (BB84, [T]). It has an efficiency of 1/2 un- 
der ideal — that is, noise-free — circumstances, which is to 
say that, on average, one secure key bit can be extracted 
for two qubits exchanged. 

The measurements performed in BB84 do not explore 
all of the qubit's Bloch sphere, but only probe a plane. 
The tomography of the qubit state is, therefore, partial 
rather than complete, which does not matter in ideal, 
noise-free operation, but it has its drawbacks when the 
quantum channel is noisy. By contrast, the "six-state 
protocol" (see, e.g., Ref. offers full state tomogra- 
phy; it is the qubit prototype of the higher-dimensional 
tomographic protocols introduced in Ref. 3 . 

The complete tomography comes at a price; for each 
key bit one has to exchange three qubits on average. Full 
tomography can be had, however, at a much lower cost, 
as is demonstrated by the protocols with minimal qubit 
tomography (MQT) that we describe here. They have 
an ideal efhciency of log2(4/3) — 0.415 and thus need 
only 2.41 qubits per key bit. Put differently, the MQT 
protocols are potentially 24.5% more efficient than the 
six-state protocol, their competitor among the standard 
tomographic protocols. 

The key observation is that the tomography of the six- 
state protocol is redundant, inasmuch as one measures 
six probabilities to determine the three parameters that 
specify the qubit state. By contrast, one measures only 



four probabilities in MQT to establish the three param- 
eters. As discussed in Ref. [^], qubit tomography of this 
minimal kind is possible indeed. Moreover, a simple one- 
loop interferometer setup can realize MQT for the polar- 
ization qubit of a photon [5j| . Non-interferometric setups 
are also possible [6| , and work very well in practice 0] ■ 

Key generation from the raw data is rather straightfor- 
ward in the six-state protocol where one performs a ba- 
sis matching as one does for BB84. A similar procedure 
can be applied to the raw data of MQT protocols — the 
"Renes pairing" [1], discussed in Sec. lIII Al — but then the 
achieved efficiency is no more than 1/3 = 0.333, the value 
of the six-state protocol. Thus, if one wishes, as we do, 
to exploit the advantage offered by MQT, one needs to 
abandon basis matching and the like in favor of another 
procedure. We introduce here one such alternative key 
generation method that is simple to describe, and to im- 
plement, which extracts 0.4 key bits per qubit and thus 
exceeds the benchmark value of 0.333 by much and gets 
quite close to the information-theoretical limit of 0.415. 

Here is a brief outline. We begin with considering ideal 
circumstances in Sec. [Ill In Sec. IIIIl we then discuss the 
key generation by two-way communication. The Singa- 
pore protocol is introduced in Sec. llVi with emphasis on 
its tomographic element. In Sec. |Vl we report the noise 
thresholds below which the Singapore protocol offers se- 
cure key distribution. We close with a summary. 

The account given here is a general description of the 
scheme and a report of all major results of the detailed 
analysis. This analysis itself is presented in two compan- 
ion papers [1, [l3] ■ 



II. IDEAL CIRCUMSTANCES 
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Let us consider ideal circumstances for a start. We 
emphasize the symmetry between the communicating 
parties — Alice and Bob — by a scenario in the spirit of Ek- 
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ert's entanglement-based protocol of 1991 [ll'|. A source 
distributes entangled qubits to Alice and Bob, one pair at 
a time. Ideally, the source emits the pairs in the singlet 
state |s), whose statistical operator 

PAB = = ^(l - CTA • ctb) (1) 

is a symmetric function of the Pauli vector operators cta 
and tTB for Alice's and Bob's qubit, respectively. 

For each qubit pair, one of the four detectors at Al- 
ice's end will respond, and one of Bob's four detectors. 
Each set of detectors realizes, for the respective qubit, the 
probability operator measurement (POM — in the math- 
ematical literature: POVM for positive operator valued 
measure) that consists of the four half-projectors 

Pfe = i(l + 4-a), for fc = 1,...,4, (2) 

where the unit vectors tk have equal angles between 
them, 

^ ^ 4 1 

tk ■ ti = -Ski - - , for A:,; = 1, . . . ,4. (3) 

Geometrically speaking, they are the normal vectors for 
the four faces of a tetrahedron, or one can picture them 
as pointing from the center of a cube to four nonadjacent 
corners; see Fig. 1 in Ref. Q for an illustration. Their 
linear dependence and completeness, stated respectively 

by 

4 4 

^4=0 and ^^44 =T, (4) 

fc=l k=l 

are basic properties of the tetrahedron vector quartet. 

With (T ^ (?A in Eq. ([2]) we have the members PAk 
for Alice's POM, and likewise (T — > (Tb gives Bob's POM. 
The 16 joint probabilities that Alice's fcth detector fires 
together with Bob's Ith detector are then given by 

Pkl = (PAkPBl) 

= ^tr {pAB (1 + tk • cta) (1 + ^ • ctb) } (5) 

ioi k,l = 1, 2, 3, 4. Knowledge of these pkis is tantamount 
to knowing pAB because the inverse relation 

4 

PAB = ("^^Afc - l)pki {6Pbi - 1) (6) 

k,l=l 

reconstructs pAB from the joint probabilities. Indeed, 
two-qubit tomography of this kind can be performed and 
is highly reliable in practice 12]. 

We can think of Alice's measurement as preparing 
Bob's qubit at random in the state corresponding to — 
that is, conditioned on — her unpredictable measurement 
result. In this sense, she is sending him a random se- 
quence of qubits through an effective quantum channel. 



In fact, if the pair source is located in Alice's laboratory, 
the pair emission in conjunction with her measurement 
is fully equivalent to a single-qubit source. Conversely, if 
Alice is really operating a single-qubit source with ran- 
dom output, so that the scenario is that of BB84, we can 
think of it as an Ekert scenario with a corresponding ef- 
fective two-qubit source. Therefore, our analysis applies 
to either physical situation. 

For the ideal source that emits the singlet states of 
Eq. H]), we have 

_ 1-4; _ / for fc = / , . . 

12 ~ \l/12forfc7^Z, 

that is, two corresponding detectors (fc = I) never fire 
together and the other twelve cases are equally probable. 
Accordingly, the mutual information between Alice and 
Bob is 

4 

Tab = log2 = log2 TT - 0.415 (bits), (8) 

where 

4 4 

Pk- = {PAk) = ' P-^ = ^^b;) = X^P'^' 

1=1 k=l 

are the marginal probabilities for her and him, respec- 
tively; here simply pk- — p i = \- This Iab value exceeds 
the value of ^ for the six-state protocol [13] by almost 
25%. 

The number Iab = 0.415 tells us that Alice and Bob 
can generate up to 0.415 secure key bits for every qubit 
exchanged through the quantum channel, that is, for ev- 
ery qubit pair they detect. If they had an appropri- 
ate error-correcting code at hand, the key generation 
could be done by one-way communication. Unfortu- 
nately, however, the best codes that are presently avail- 
able have an efficiency below the 0.333 benchmark set by 
the six-state protocol [M, J^] . 

III. KEY GENERATION BY TWO-WAY 
COMMUNICATION 

The standard methods for generating the secret key- 
bit sequence — for the BB84 scheme, the six-state proto- 
col, and others — all make use of two-way communication. 
Such procedures can also be designed for raw data char- 
acterized by the joint probabilities in Eq. ([7]). 

For ease of presentation, we assign letters A, B, C, D to 
the measurement results k,l = 1,2,3,4, so that the raw 
data make up a four-letter random sequence for Alice and 
another one for Bob. These sequences are such that the 
two letters for a qubit pair are never the same, and the 
twelve pairs of different letters are equally frequent. It is 
as if Alice were sending a random sequence of the four 
letters to Bob, who never receives the letter sent but gets 
either one of the other three letters equally likely. 
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A. Renes pairing 

Renes's method for key generation Q amounts to the 
foUowing. Suppose Ahee has letter A, to which she as- 
signs or 1 at random, say 1 to be specific. Then she 
chooses randomly one of the other three letters, say B, 
and communicates publicly to Bob: "If your letter is A, 
call it 0; if you have B, call it 1!" , whereby the letter for 
value is always stated first. Bob in turn reports success 
if his letter is A or B, failure if he has C or D. 

Since Alice has a 1/3 chance of guessing Bob's letter 
right when she pairs B with A, the success probability is 
1/3 and the failure probability is 2/3. In case of success, 
a pair of potential outcomes is identified with perfect 
(anti-)correlations and a key bit is obtained, in full anal- 
ogy to the pairs of outcomes that are selected by the basis 
matching of the BB84 protocol or the six-state protocol. 

Indeed, Renes's method is in the tradition of basis- 
matching procedures inasmuch as his pairing selects a 
2x2 submatrix from the 4x4 matrix of the joint prob- 
abilities of Eq. ((71). There is a crucial difference though: 
Only certain submatrices are useful in the BB84 proto- 
col and the six-state protocol and they are systematically 
chosen by the basis matching. But for the MQT proba- 
bilities of Eq. ([7]), the choice is not unique; you can pair 
A with B or with C or with D. Possibly useful corre- 
lations are unavoidably discarded by the Renes pairing 
in the unlucky failure cases and, therefore, this method 
does not take good advantage of the stronger MQT cor- 
relations and does not yield a higher efficiency than the 
six-state protocol. 



B. Beyond pairing: Iterative key extraction 



letter he got. Alice records her letter as part of a new 
sequence for later use. Bob does the same with his let- 
ter. The secondary sequences thus formed have the same 
statistical properties as the primary sequences. 

Alice and Bob repeat steps 1 and 2 as long as there are 
enough unused letters. Then they apply the same two- 
step procedure to the new sequences created in step 2b, 
thereby getting more key bits and two other new se- 
quences. Next, these sequences are processed, and so 
forth. 

As a result, Alice and Bob will share an identical se- 
quence of key bits. Nobody else knows the key bits be- 
cause the public announcements by Alice in step 1 and 
by Bob in steps 2a or 2b reveal nothing at all about the 
values of the key bits. 

When a key bit is generated from the original se- 
quences, which happens with probability |, two letters 
are consumed to get it. For a key bit from the first put- 
aside sequences, the probability is ^ x | and four letters 
are used altogether. For a key bit from the second put- 
aside sequences, eight letters are spent with a success 
probability of ^ x i x |; and so forth. 

If the original sequences are N letters long, we thus get 
+ + + ■ ■ ■)N key bits in total. The asymptotic 
efficiency is therefore 



lim — 

n — >oo 5 



= -^0.4, 



(10) 



which falls short of the theoretical maximum of 0.415, 
but not by much p^ . Owing to the geometric conver- 
gence, just a few rounds are sufficient in practice, the 
efficiencies being 0.333, 0.389, 0.398 for one, two, three 
rounds, respectively. In short, it is easy to get above the 
i efficiency of the six-state protocol. 



One can do much better by other procedures that do 
not rely on variants of BB84 basis matching and the like. 
We describe here one such method, which generates the 
secret key bits by an iteration and is rather simple to 
implement. 

We recall that the raw data consist of a four-letter ran- 
dom sequence for Alice and another one for Bob. Each 
round of the iterative extraction of the key bits then in- 
volves the following steps. 

Step 1: Alice chooses one letter at random, say A. She 
announces two positions in her sequence where this letter 
occurs, while not revealing which letter she has chosen. 

Step 2a: // Bob has two different letters at these posi- 
tions, say C and D, he forms two groups, one consisting 
of his letters (CD), one of the others (AB). He knows for 
sure that Alice's letter is in the second group. He de- 
cides at random to which group he assigns value and to 
which value 1. Then he announces the two groups and 
their values. Alice and Bob both enter the value of the 
group that contains Alice's letter as the next bit of the 
secret key. 

Step 2b: // Bob has the same letter twice, he an- 
nounces that this is the case, not telling, of course, which 



C. Hybridization 

In any practical implementation of the iterative key 
generation one has to settle for a finite number of rounds. 
It is then beneficiary to apply the Renes pairing in the 
final iteration round, i.e.. Step 2b': If Bob has the same 
letter twice, he chooses another letter at random to form 
a Renes pair, which he communicates to Alice. 

The efficiency is then 



- - 
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(11) 



for a total number of n rounds. Thus, this hybrid reaches 
the n-iteration yield of Eq. (|10p after n ~ 1 rounds. 



IV. THE SINGAPORE PROTOCOL 

The tetrahedron version of Renes's "spherical codes" 
Q uses the pairing method of Sec. IIII Al for the key gen- 
eration from the raw data obtained by MQT. It does 
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not take advantage of the tomographic power offered by 
MQT. 

In marked contrast, systematic state tomography is 
a defining element of the Singapore protocol on which 
we will focus now. The Singapore protocol is specified 
by (i) MQT for the acquisition of raw data; (ii) state 
tomography for the characterization of the source; (iii) 
key generation by the iteration method of Sec. IIIIBl or 
by the hybrid method of Sec. IIII C[ or by some other 
procedure of high efhciency The choice of method in 
(iii) distinguishes variants of the Singapore protocol, but 
they all have (i) and (ii) in common. 



A. The tomographic element 

The tomographic element in the Singapore protocol ex- 
ploits Eq. After the detection of many qubits, Alice 
and Bob select a random subset of the qubit pairs and 
reveal to each other, and everybody else, the measure- 
ment results obtained for them. The relative frequencies 
of the pair events — for which fraction of the pairs did she 
get, say, a B and he a D? — can serve as simple estimates 
for the joint probabilities (p24 for the BD events). When 
used in Eq. ([5]), they provide an estimate of the two-qubit 
state emitted by the source. The more refined methods 
of quantum state estimation [l7j are likely to give better 
and more reliable estimates, if the need arises, but in the 
context of the Singapore protocol this is less important. 

Rather, Alice and Bob check whether the actual rela- 
tive frequencies are consistent with the expected output 
of the qubit-pair source. They proceed with the key gen- 
eration only if the source passes the test. If it fails, the 
data are rejected as unreliable, and a different source is 
used. The "source" encompasses here everything that is 
involved in delivering the qubits to Alice and Bob: the 
physical source plus the transmission lines. In the equiv- 
alent scenario in which Alice produces qubits and sends 
them to Bob, the tomography establishes the properties 
of the quantum channel through which the qubits are 
transmitted. One can then judge whether the channel is 
acceptable or not. 

One could think that an essential part of the checking 
is to make sure that the qubit pairs are statistically in- 
dependent. This would require a careful look at the joint 
probabilities for two or more qubit pairs. With a limited 
number of data sacrificed for the purpose of tomography, 
the confidence level will be high for two pairs, lower for 
three pairs, even lower for four pairs, and so forth. But 
if Alice and Bob are willing to pay the price, they can 
reach the confidence level they desire. 

In fact, however, such elaborate checks of statistical 
independence are not necessary because one can rely on 
the quantum version of the de Finetti theorem [l8|. It 
ensures that the ensemble of qubit pairs is, for all prac- 
tical purposes, equivalent to an ensemble of statistically 
independent pairs if all operations (consistency check of 
the relative frequencies of paired qubits iterative key gen- 



eration) use randomly selected pairs. 

It is worth emphasizing that Alice and Bob must 
have criteria according to which they decide whether the 
source is trustworthy. With a finite number of data at 
hand, there can never be absolute certainty about sta- 
tistical properties. In this respect, the tomography of 
the Singapore protocol, and the conclusions about secu- 
rity drawn from it, is on equal footing with the typicality 
assumptions in the security analysis of schemes for quan- 
tum key distribution that follow the paradigm of BB84. 

It is, so to say, a matter of your level of distrust. When 
testing a coin that is supposedly unbiased, many would 
have serious doubts if a million trials gave 70% heads. 
But if you are leery, you might mistrust the coin after 
getting seven heads in ten trials. 

B. Acceptable sources 

An acceptable source would emit independent qubit 
pairs in the singlet state of Eq. ([T]) with an admixture of 
unbiased noise — or, equivalently, the noise of an accept- 
able transmission channel must be unbiased . Accord- 
ingly, the statistical properties of the observed detection 
events must be consistent with the joint probabilities 

Pki = ^il~Ski) + ^Ski (12) 

that derive from the two-qubit state of the form 

PAB = |s)(l-e)(s| + ^, (13) 

where e specifies the noise level: no noise for e = 0; noth- 
ing but noise for e = 1 . The range of interest is < e < | 
because pab is separable if e > |, and then the correla- 
tions exhibited by the pkis are of a classical nature and 
possess no genuine quantum properties. The mutual in- 
formation between Alice and Bob for the pkiS of Eq. (I12p . 

^AB = (l - 9 ^°S2 (^) + i log2 e , (14) 

decreases monotonically from the e = value of 0.415 to 
0.0292 for e = |. 

It is improbable that the noise in real quantum chan- 
nels is truly unbiased. Therefore, Alice and Bob ensure 
the joint probabilities of Eq. by twirling: for each 
pair of detection events the assigning of the letters A, B, 
C, D to the detectors is done by a random choice of one 
of the 24 permutations of the letters. 

C. Eavesdropping 

All noise is potentially resulting from eavesdropper 
Eve's attempts at acquiring knowledge about the key 
bits. She is given complete control over the source, and 
the best she can do is to prepare a pure state in which 
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all the qubit pairs sent to Alice and Bob are entangled 
with a gigantic ancilla. 

Upon tracing over the ancilla degrees of freedom, we 
get the state of many qubit pairs received by Alice and 
Bob which — as a result of the full tomography or as an 
implication of the quantum de Finetti theorem — is known 
to be a product state with one factor for each qubit pair. 
As a consequence of the Schmidt decomposition of the 
pure entangled state, the reduced ancilla state is unitarily 
equivalent to this product state, so that Eve's ancilla 
consists of independent qubit pairs, one for each pair sent 
to Alice and Bob. 

Accordingly, Eve's optimal strategy Q amounts to en- 
tangling each qubit pair emitted by the source with a 
two-qubit ancilla, and to keep all these ancillas as quan- 
tum records when the qubit pairs are sent to Alice and 
Bob. Eve must ensure that the noisy singlet state (flSl) 
results when |5')(5'| is traced over the ancilla degrees of 
freedom, where jS") is the ket for the joint state of a qubit 
pair sent to Alice and Bob and the qubit pair of its an- 
cilla. This requirement determines | S') completely, up to 
irrelevant unitary transformations on the ancilla (see [sl 
and the appendix in j20|). namely, 

|<5') |si2S34)Vl - e + |si3S24)»\/e- (15) 

Here, \sjk) is the singlet for qubits j and fc, whereby 
qubits 1 and 2 are sent to Alice and Bob, and qubits 3 
and 4 compose the ancilla. Thus, in this most symmetric 
choice for jS*), the qubit pair of Eve's ancilla is on equal 
footing with the pair sent to Alice and Bob. 

V. NOISE THRESHOLDS FOR THE 
SINGAPORE PROTOCOL 

We consider four different eavesdropping attacks. In 
the first attack. Eve tries to learn as much as she can 
about the original letter sequences recorded by Alice and 
Bob and does not wait until the public communication 
between them reveals additional clues. Eve can thus mea- 
sure her ancillas immediately after the qubits haven been 
sent to Alice and Bob, or even before the qubits leave 
the source, so that this attack could be realized by just 
emitting a sequence of mixed two-qubit states from the 
source. This mixed-state attack is relevant if Eve cannot 
store the ancillas for later processing and Alice and Bob 
use a suitable code, such as those discussed in Ref. fl3 |. 
to generate the cryptographic key by one-way communi- 
cation. If Eve can, however, process the ancillas as late as 
she wishes, we have the situation discussed in Sec. IV CI 

In the second attack, the raw-data attack on the gener- 
ated key bits. Eve takes into account what she learns from 
the public communication between Alice and Bob when 
they execute the steps of Sees. IIIIBI and IIII CI But she 
continues to rely on the data she gains by the mixed-state 
attack. Given the limitations of present-day technology, 
this is the strongest attack Alice and Bob have to fear in 
practice. 



A much stronger attack, however, is the third attack 
we consider, the collective attack on the generated key 
bits. Here, Eve performs a collective measurement on 
all the ancillas to those qubit pairs that contribute to 
the key bit under attack, exploiting fully the information 
revealed publicly by Alice and Bob while they execute 
steps of Sees. IIII Bl and nil CI Depending on the iteration 
round in which the key bit is generated, this will involve 
two, four, eight, . . . ancillas, each of them itself a qubit 
pair. 

In order to implement the collective attack. Eve must 
be able to store the ancillas for a long time, because Al- 
ice and Bob can process their raw data long after it has 
been acquired, and she must be able to process the an- 
cillas jointly. Both tasks are beyond the quantum tech- 
nology of today and the foreseeable future. But once the 
technology exists, such attacks will be a matter of real 
concern. 

Therefore, we should also consider the strongest at- 
tack conceivable: the message attack. Here, Eve waits 
even longer, until after Alice and Bob have processed the 
keys generated by the steps of Sees. IIII Bl and IIII CI by 
the standard methods of privacy amplification and er- 
ror correction, and have used the final sequence of key 
bits to encrypt a message. Rather than trying to learn 
the values of the key bits at any intermediate stage. Eve 
attempts to decrypt the message itself, thereby making 
optimal use of all the public information exchanged be- 
tween Alice and Bob up to, and including, the encrypted 
message. 

We are content here with giving brief accounts of the 
results of analyzing these eavesdropping attacks. The 
technical details are reported in two companion papers, 
Refs. Il and dl. 

A. Mixed-state attack 

For each of Alice's detection events, there is a con- 
ditioned ancilla state of rank 2. It is as if Alice were 
sending a random sequence of four different ancilla states 
to Eve, each occurring one-fourth of the time. Eve ex- 
tracts the information accessible to her by measuring the 
ancillas with the POM that is optimal for this purpose. 
For e > 0.1725, Eve's optimal POM has four possible 
outcomes and its structure is analogous to the optimal 
POM for the six-state protocol that is given in Ref. [2l| . 
For e < 0.1725, the optimal POM has five elements and 
extracts slightly more information (less than 1%) than 
the four-member POM. 

In the more relevant range of e > 0.1725, the joint 
probabilities for Alice's fcth result and Eve's Ith result 
are given by the pkis of Eq. (O with e replaced by 

77= (^l-|e-y|I)'. (16) 
Upon presenting this relation in the form 

(l-|e)2 + (l-ry)2 = l, (17) 



6 




by the right-hand side of Eq. p4|) with e 
e < 77 and therefore I^b > Iae for 



A/ 




FIG. 1: Mutual information and yield for key generation by 
one-way communication. Top figure: Mutual information 
about the raw data between Alice and Bob (/ab, curves o) 
and between Alice and Eve (/ae, curves 6), for the range 
< e < I of nonseparable source states. The solid lines are 
for the four-outcome POM of the MQT protocols, the dashed 
lines for the six-outcome POM of the six-state protocol. For 
both POMs, the intersection of the respective a and b curves 
is at e = 0.2363. The dash-dotted curve c is the common 
Ifolevo bound. It intersects the curves a at e — 0.1265 and 
e = 0.1086 for the four-outcome POM and the six-outcome 
POM, respectively. Bottom figure: The Csiszar-Korner yields 
AI = Jab — Iae for the mixed-state attack of Sec. IV Al for the 
four-state POM (solid line) and the six-state POM (dashed 
line), for < e < 0.24. The two dash-dotted lines show the 
respective yields for the message attack of Sec. IV Cl Note that 
these plots refer to one-way communication schemes, whereas 
the Singapore protocol and the six-state protocol rely on two- 
way communication. 



we observe a fundamental symmetry between the noise 
level e in the AUce-Bob channel and the noise level rj in 
the Ahce-Eve channel. Note in particular that 77 = 1 for 
e = and ij = for e = |. That is, when there is no 
noise in the channel from Alice to Bob, there is nothing 
but noise between Alice and Eve; and when Alice and 
Bob receive their qubits in a separable state, the effective 
transmission from Alice to Eve is noiseless. 

The resulting mutual information between Alice and 
Eve, /ae, and also that between Bob and Eve, is given 



e < 



1 



V3 



0.2363. 



rj. We have 



(18) 



The Csiszar-Korner (CK) theorem [22| then ensures that 
a secret key can be generated, by a fitting code for one- 
way communication, with an efficiency of /ab — /ae • We 
note that the six-state protocol has the same CK thresh- 
old and the CK efficiency of MQT protocols, such 
as the Singapore protocol, is larger for all values below 
their common CK threshold. See Fig. [T] for a graphical 
summary of these observations about the mixed-state at- 
tack. 



B. Attacks on the generated key bits 

This CK threshold does not apply, however, if Alice 
and Bob generate the binary key with the iterative proce- 
dures of Sees. HUB I and nil Cl which involve two-way com- 
munication. The secondary sequences formed in step 2b, 
from primary sequences characterized by e, have statisti- 
cal properties of the kind stated by the joint probabilities 
in Eq. © but with e replaced by €'^/[l + i(l - e)^], i.e., 
with quadratically less noise. Accordingly, the raw key 
bits that Alice and Bob obtain in the successive rounds 
have error probabilities of 



for the nth round, 



3e 



(19) 

so that the quality of the bits improves markedly from 
one iteration round to the next. But also Eve's eaves- 
dropping gets more efficient. She has two ancillas to 
examine for each first-round bit, four ancillas for each 
second-round bit, . . . , 2" ancillas for each nth- round bit. 

We illustrate this matter by a closer look at the first- 
round bits; see the n = 1,L = 2 row in Table [H For 
each of Alice's bits, there is now a two-ancilla state of 
rank 9, conditioned on her bit value [l3|. It is as if she 
were sending a random sequence of two different two- 
ancilla states to Eve, both occurring equally frequently. 
There are then various strategies for Eve, of which the 
two extreme ones are the raw-data attack and the mes- 
sage attack introduced above, and the collective attack 
is intermediate. 

In the raw- data attack [9], Eve measures the ancillas 
one-by-one and employs the POM of Sec. IV AI for this 
purpose, so that she is not modifying her POM in the 
light of the information exchanged by Alice and Bob pub- 
licly. Just like it is the case for the mixed-state attack, 
there is no need for Eve to wait until this information is 
available. She can measure the ancillas immediately after 
sending the qubits to Alice and Bob or, equivalently, she 
could send suitably prepared mixed two-qubit states to 
them. The public information is only taken into account 
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for the interpretation of the data. While this raw-data 
attack is rather weak, it is of quite some interest because 
it is the best an eavesdropper can do with present-day 
technology. 

Not unexpectedly, the collective attack [lol | is much 
stronger. For its implementation. Eve applies the POM 
that is optimized for the two-ancilla states that she re- 
ceives. The difference is indeed striking: For the raw-data 
attack, Alice and Bob are on the safe side if e < 0.3324, 
whereas they fall prey to the collective attack unless 
e < 0.2628. 

We note that both values are above the CK threshold of 
Eq. (fT8|) . If they only have to fear these collective attacks, 
Alice and Bob can, therefore, extract secure key bits from 
their sequences of raw first-round bits if e < 0.2628; and 
for e < 0.2945 the final-pairing bits of the first round can 
be trusted for key extraction. For this purpose, Alice 
and Bob will have to use an appropriate error-correcting 
code and a privacy amplification protocol for the effective 
binary channel thus defined, much like one does it in 
other protocols for quantum key distribution. 

But, further information becomes available to Eve dur- 
ing the error correction and the privacy amplification. 
The message attack fld\ takes all of this additional infor- 
mation into account as well. As in the collective attack. 
Eve exploits the conditioned two-ancilla states, yet in a 
much more exhaustive manner. The resulting thresh- 
old values are obtained by calculating the Holevo bound 
[2^ . [23 | , which in fact is technically much less demand- 
ing than the search for the optimal POMs needed for the 
raw-data attack and the collective attack. 

It follows that the absolute noise thresholds for the 
first-round keys are e = 0.2182 for the iteration bits and 
e — 0.2422 for the final-paring bits. Both are noticeably 
below the thresholds for the collective attack, and the 
first one is even below the CK threshold. 

The analysis for the second-round bits is analogous but 
now there are four ancillas to be examined jointly; and 
there are eight ancillas for each key bit of the third round; 
and so forth. We report in Table U the thresholds found 
in Ref. for the raw-data attack and in Ref. [l^l for the 
collective attack and the message attack, for both the key 
bits gained during the iteration step of Sec. IIII Bl and by 
the final pairing of Sec. IIII CI Note that the thresholds 
are consistently higher for the later iteration rounds, and 
the message-attack asymptotic threshold for the final- 
pairing bits at e = 0.3893 identifies the noise level be- 
low which secure key generation is assuredly possible. In 
practice, of course, one would operate well below this 
value to have a reasonable efficiency. 

Consider, for example, a noise level of e = 0.25, slightly 
above the BB84 threshold [H, [11]. If Alice and Bob 
only have to fear raw-data attacks, all iteration rounds 
give secure bits including the L = 1 final-pairing bits 
of Renes's scheme. These L — 1 bits are not secure, 
however, if one must protect against collective attacks. 
And if Alice and Bob are afraid of message attacks, they 
can only use the iteration bits from the third and later 



TABLE I: Noise thresholds for the Singapore protocol. For 
n = 1, 2, or 3 iterations, involving L — 2" letters respectively, 
we report the thresholds for the three eavesdropping attacks 
considered in Sec. IV Bl the raw-data attack [^, the collective 
attack [13], and the message attack [l^. For each attack, 
there are two columns of threshold values, the thresholds for 
the key bits gained during the iteration step of Sec. lIII Bl (e;t). 
and the thresholds for the key bits generated by the final 
pairing of Sec. IIII CI (tpp) if the iteration stops with the nth 
round. The entries for L = 1 refer to Renes's original pairing 
procedure of Ref. @], discussed in Sec. IIII Al The last row 
states the asymptotic thresholds for n,L 2> 1. The values 
for the message attack are absolute thresholds; there is no 
eavesdropping strategy with lower thresholds. 
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rounds and the final pairing bits from the second round 
onwards. 



C. Message attack for one-way key generation 

If Eve can store the ancillas and process them at a late 
time, she can also implement a more powerful attack on 
one-way key generation than the mixed-state attack of 
Sec. IV Al She would wait until Alice and Bob have en- 
crypted a message after performing the necessary error 
correction and privacy amplification, and would then at- 
tack that message. Thereby, Eve's power is only limited 
by the Holevo bound. 

Now, the six ancilla states conditioned on Alice's mea- 
surement result of the six-state POM and the four ancilla 
states for the four-state POM are unitarily equivalent 
rank-2 states with nonzero eigenvalues 1 — and ^e; 
and the unconditioned ancilla state is the same for all 
POMs, the singlet with an admixture of unbiased noise 
of (|13p . Accordingly, there is a common Holevo bound 
for the four-outcome POM of the MQT protocols and the 
six-outcome POM of the six-state protocol; see Fig. [TJ 

The corresponding noise thresholds turn out to be 
quite low: e = 0.1086 for the six-outcome POM, and 
e — 0.1265 for the four-outcome POM. One is clearly re- 
warded here for employing a minimal tomographic POM 
rather than a POM with redundancy. 



VI. SUMMARY AND CONCLUDING 
REMARKS 

In summary, the Singapore protocol for quantum key 
distribution introduced here can tolerate much higher 
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FIG. 2: Yield of the Singapore protocol under the message 
attack. The plots show the yield for key generation that uses 
up to L = 8 letters of the raw-data sequences. The various 
curves are for L = 1: Renes's original pairing scheme, L — 2: 
termination after the first round, L = 4: termination after 
the second round, and L = 8: termination after the third 
round. In the two top plots, which cover the ranges e < 0.25 
and 0.21 < e < 0.25, the curves for L = 4 and L = 8 are in- 
discernible. They are resolved in the two bottom plots, where 
0.25 < e < 0.3 and 0.295 < e < 0.335. The various cusps in 
the curves are at the threshold values of the last column pair 
in Table ID 



noise levels than the BB84 protocol and is substantially 
more efficient than its tomographic competitor, the six- 
state protocol. The raw data, which consists of two 
random four-letter sequences with correlations between 
them, can be converted into secret key bits by an itera- 
tive procedure that uses two-way communication. 

The results of the security analysis — detailed accounts 
given in Refs. [loj — are concisely summarized in Ta- 
ble U and Fig. [51 Table U reports the noise thresholds 
for the hierarchy of eavesdropping attacks considered: 
the raw-data attack, the collective attack, and the mes- 
sage attack. The weakest of them is the raw-data attack, 
which is the one that is to be feared within the limita- 
tions of today's technology, and the most powerful attack 
is the message attack, which is as strong as the laws of 
physics permit and thus determines the absolute noise 
thresholds. 

These thresholds are clearly visible in the plots of the 
yield that are shown in Fig. [2l Consistent with the 
thresholds in Table U a nonzero yield can be had for 
e < 0.242 with a single round of key generation, whereas 
two or more rounds are needed for larger noise levels, 
with three rounds being sufficient for e < 0.334. 

It should be kept in mind that our analysis refers to 
the specified procedure for generating the key bits that 
is introduced in Sec. IIIII When a different jgrocedure is 
adopted, such as those alluded to in Ref. [16], the noise 
thresholds will be different as well. 

We wish to emphasize that the higher efficiency of 
the Singapore protocol does not result from a deliberate 
asymmetry, as it is the case in the asymmetric variant 
of BB84 that is thoroughly studied by Lo, Chau, and 
Ardehali in Ref. Both the six-state protocol and 

the Singapore protocol are symmetric in the sense that 
all of Alice's and Bob's detectors have the same a priori 
probability of registering the next qubit. 

Asymmetric versions of the Singapore protocol can be 
realized either by distorting the tetrahedrons [11] or by 
using a source that emits the qubit pairs in a biased state 
rather than the singlet. In the absence of noise, the effi- 
ciency of distorted-tetrahedron schemes can be as close to 
unity as one wishes, quite analogously to the asymmetric 
BB84-type protocol of Ref. [l^, but then it is very costly 
to perform reliable tomography. 
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